
So here is a noob question (maybe even dumb?) but I need to ask it. I have a vue app which connects to my Appwrite instance using the API endpoint, project ID and it reads and writes using the Database ID etc. I guess those variabes have to be part of the front end in a production scenario. But how does Appwrite know which requests are legitimate and not? My vue-app does not really "authenticate" itself in any way. Is it through role/user settings in auth + limits to API calls per time unit? Can access to the endpoint and ID-strings above hurt me in production and do I have to hide/obfuscate them somehow (as we do with e.g. SMTP Keys using environment variables inside appwrite).

Hide API Endpoint, Project ID, Database ID etc in front end?

endpoint, project id, are fine to be public. it's the same as working with any sort of backend. the client MUST have this information in order to connect.
the best way to lock things down is by requiring authentication and setting up server side validation via permissions

Thanks @Steven ! This was my assumption, but didn't want to assume too much when it comes to these topics 🙂

Happy to help. And the most important thing is to not use API keys client side!
Recommended threads
- How To Send Email Verification From Serv...
How can I send email verification from server action or component after sign up in next.js ? Is there any way ?
- x-appwrite-user-jwt missing
Even for logged in users I can't see "x-appwrite-user-jwt" or "x-appwrite-user-id" in headers of an appwrite function. I'm trying to send "x-appwrite-user-id" m...
- ATTRIBUTE NOT SHOWING DELETE
Hi, I'm trying to delete an attribute in my collection but it won't delete, It's not even showing the delete when I click on the hamburger icon, Its showing onl...
